Security Experts:

Linux Worm Targets "Internet of things"

Malware hunters have stumbled upon a new Linux worm squirming through an old PHP vulnerability to infect hidden, Internet-enabled devices.

Linux Malware

The worm, named Linux.Darlloz by Symantec, is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers.  The company said variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras.

The worm spreads by exploiting a previously known vulnerability in PHP which was patched in May 2012.  Symantec researcher Kaoru Hayashi said the creator of the worm used proof-of-concept code that was released in late Oct 2013.

Technical details:

"Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures."

Hayashi said the attacker is hosting some variants of the worm for other architectures including ARM, PPC, MIPS and MIPSEL on the same server.

"The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux. However, we have not confirmed attacks against non-PC devices yet," Hayashi said.

To make matters worse, Hayashi said many users of hidden operating systems may not be aware that they are using vulnerable devices in their homes or offices. "Another issue we could face is that even if users notice vulnerable devices, no updates have been provided to some products by the vendor, because of outdated technology or hardware limitations, such as not having enough memory or a CPU that is too slow to support new versions of the software," he added.

To mitigate this threat, Symantec recommends that users:

  • Verify all devices connected to the network
  • Update their software to the latest version
  • Update their security software when it is made available on their devices
  • Make device passwords stronger
  • Block incoming HTTP POST requests to the following paths at the gateway or on each device if not required:

-/cgi-bin/php

-/cgi-bin/php5

-/cgi-bin/php-cgi

-/cgi-bin/php.cgi

-/cgi-bin/php4

Related Resource: Designing Security for Newly Networked Devices

Related Resource: Building Firewalls for Embedded Systems

Related Resource: Best Practices for Testing Secure Applications for Embedded Devices

view counter
Ryan is the host of the SecurityWeek podcast series "Security Conversations". He is the head of Kaspersky Lab's Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.